CNIT 40: 2: DNS Protocol and Architecture
SamBowne
3,246 views
46 slides
Sep 13, 2016
Slide 1 of 46
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
About This Presentation
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Slide Content
DNS Security
Ch 2: DNS Overview: Protocol,
Architecture, and Applications
Updated 9-13-16
Ch 2: DNS Overview: Protocol,
Architecture, and Applications
Updated 9-13-16
History
•On ARPANet, host names were mapped to
IP addresses in a hosts.txt file stored on a
single master server
•Other machines downloaded copies of
hosts.txt periodically
•Unix stored this information in /etc/hosts
•This technique didn't scale well. DNS
started in 1983.
•On ARPANet, host names were mapped to
IP addresses in a hosts.txt file stored on a
single master server
•Other machines downloaded copies of
hosts.txt periodically
•Unix stored this information in /etc/hosts
•This technique didn't scale well. DNS
started in 1983.
Design Principles
•Distributed storage
–DNS data split across many servers
–Smaller storage requirements for each server
–Faster transfer of information
–No single point of failure
•Hierarchical organization of data
–Allows local control of names and avoids
name conflicts
•Distributed storage
–DNS data split across many servers
–Smaller storage requirements for each server
–Faster transfer of information
–No single point of failure
•Hierarchical organization of data
–Allows local control of names and avoids
name conflicts
DNS Name Structure
•Up to four labels separated by dots form a
Fully Qualified Domain Name (FQDN)
hills.ccsf.edu
Top Level
Domain
(TLD)
Second Level
Domain (SLD){
{
Host
name{
•Up to four labels separated by dots form a
Fully Qualified Domain Name (FQDN)
hills.ccsf.edu
Top Level
Domain
(TLD)
Second Level
Domain (SLD){
{
Host
name{
Hierarchical DNS Namespace
DNS Zones
•Data for a domain and all
or some of its subdomains
is called a zone
•All of CCSF could be one
zone, containing
–ns.ccsf.edu
–www.ccsf.edu
–mail.ccsf.edu
edu
.
www mailns
ccsf
•Data for a domain and all
or some of its subdomains
is called a zone
•All of CCSF could be one
zone, containing
–ns.ccsf.edu
–www.ccsf.edu
–mail.ccsf.edu
edu
.
www mailns
ccsf
Domain Delegation
•CCSF could have
separate
nameservers on each
campus, each
responsible for their
own subdomain
•The ccsf.edu parent
domain would
delegate
responsibility for a
subdomain to each
campus, making
many zones
•URLs would be longer
–www.ocean.ccsf.edu
edu
.
missionevansocean
ccsf
nswww nswww
nswww
•CCSF could have
separate
nameservers on each
campus, each
responsible for their
own subdomain
•The ccsf.edu parent
domain would
delegate
responsibility for a
subdomain to each
campus, making
many zones
•URLs would be longer
–www.ocean.ccsf.edu
edu
.
missionevansocean
ccsf
nswww nswww
nswww
DNS Clients, Servers, and Resolvers
•DNS Client
–A program like a Web browser using a domain
name like www.ccsf.edu
•DNS Server
–Stores and serves DNS data
•DNS Resolver
–Software that accepts a query from a client,
queries one or more DNS servers, and replies
to the client
•DNS Client
–A program like a Web browser using a domain
name like www.ccsf.edu
•DNS Server
–Stores and serves DNS data
•DNS Resolver
–Software that accepts a query from a client,
queries one or more DNS servers, and replies
to the client
DNS Servers
•Authoritative servers
manage information about a
domain
–SOA (Start Of Authority)
•Caching servers store data
they copied from other
servers
–Not authoritative for any
domain
–Cache records have a Time To
Live (TTL)
–Specified by SOA for each
record
•Authoritative servers
manage information about a
domain
–SOA (Start Of Authority)
•Caching servers store data
they copied from other
servers
–Not authoritative for any
domain
–Cache records have a Time To
Live (TTL)
–Specified by SOA for each
record
DNS Queries
•Recursive query
–Server will find the answer, even if it has to
query other servers to get it
–Server will not respond with a referral to
another server
•Iterative query
–If server does not have the answer, it will
send a referral to another DNS server
–Requester has to send another query to hunt
for the answer
•Recursive query
–Server will find the answer, even if it has to
query other servers to get it
–Server will not respond with a referral to
another server
•Iterative query
–If server does not have the answer, it will
send a referral to another DNS server
–Requester has to send another query to hunt
for the answer
DNS Forwarder
•Only external queries
are sent to the
forwarder in this
example
•Can reduce traffic
through slow or
expensive links
•Because it can cache
more records
•Only external queries
are sent to the
forwarder in this
example
•Can reduce traffic
through slow or
expensive links
•Because it can cache
more records
DNS Resolvers
•Receive requests from client applications
•Query DNS servers
•Can cache data
•Stub resolver
–Resolver connected to only one recursive server
–Cannot follow referrals
–Part of the operating system on the end device
–Windows stub resolver caches
–Linux stub resolver does not cache
•Receive requests from client applications
•Query DNS servers
•Can cache data
•Stub resolver
–Resolver connected to only one recursive server
–Cannot follow referrals
–Part of the operating system on the end device
–Windows stub resolver caches
–Linux stub resolver does not cache
Local DNS Server
•Provided by Internet Service Provider (ISP)
•Configured at the client manually or by
DHCP
•Provided by Internet Service Provider (ISP)
•Configured at the client manually or by
DHCP
Typical Name Resolution Scenario
ns
ccsf
Stub
resolver
in OS
Local
DNS
Server
Query: Where is
www.ccsf.edu?
Query: Where is
the SOA for edu?
Query: Where is the
SOA for ccsf.edu?
edu
.
Query: Where is
www.ccsf.edu?
ns
ccsf
Stub
resolver
in OS
Local
DNS
Server
Query: Where is
www.ccsf.edu?
Query: Where is
the SOA for edu?
Query: Where is the
SOA for ccsf.edu?
edu
.
Query: Where is
www.ccsf.edu?
DNS Replication
•Master server contains primary zone files
•Slave servers have copies of the zone
files
•Zone transfer
–The process of copying the files
•Master server contains primary zone files
•Slave servers have copies of the zone
files
•Zone transfer
–The process of copying the files
Root Servers
•Named .
–"dot"
•Has pointers to the top-level domains
–com, biz, mil, net, and so on
•If a DNS server has no data in the cache,
e. g. after a reboot
–Receives a recursive query
–Is not the SOA for that domain
–Must query root to find the TLD servers
•Named .
–"dot"
•Has pointers to the top-level domains
–com, biz, mil, net, and so on
•If a DNS server has no data in the cache,
e. g. after a reboot
–Receives a recursive query
–Is not the SOA for that domain
–Must query root to find the TLD servers
Root Servers
•Hundreds of servers
•Dispersed around the world
•13 domain names
–a.root-servers.net
–b.root-servers.net
–...
–m.root-servers.net
•Hundreds of servers
•Dispersed around the world
•13 domain names
–a.root-servers.net
–b.root-servers.net
–...
–m.root-servers.net
DNS Resource Record Types
and Classes
Each data element in DNS is
called a Resource Record (RR)
and Classes
Each data element in DNS is
called a Resource Record (RR)
Common RR Types
A IPv4 address of host
AAAA IPv6 address of host
MX Mail exchange
PTR Host name corresponding to IP
address
NS Host name of SOA name server
CNAME Canonical Name: alias
SOA Attributes of zone
TXT General information
A IPv4 address of host
AAAA IPv6 address of host
MX Mail exchange
PTR Host name corresponding to IP
address
NS Host name of SOA name server
CNAME Canonical Name: alias
SOA Attributes of zone
TXT General information
Common RR Types
NAPTR Naming Authority Pointer
SRV Service (for specific applications)
SPF Sender Policy Framework
(used to control spam)
Also included in TXT records as a
transitional mechanism
DNSKEY, DS, RRSIG, NSEC for DNSSEC
NAPTR Naming Authority Pointer
SRV Service (for specific applications)
SPF Sender Policy Framework
(used to control spam)
Also included in TXT records as a
transitional mechanism
DNSKEY, DS, RRSIG, NSEC for DNSSEC
dig any ccsf.edu
dig any ietf.org
DNS Looking Glass
Reverse DNS Resolutions
•Start with IP address and query to find the
domain name
•Used to block spam email
–If IP address of server doesn't have a valid
domain name, or the domain name is
blacklisted, the email is rejected
•Start with IP address and query to find the
domain name
•Used to block spam email
–If IP address of server doesn't have a valid
domain name, or the domain name is
blacklisted, the email is rejected
PTR Records for RDNS
•Reverse the order of the IP address
•Add "in-addr.arpa"
•For example, 147.144.1.212 becomes
•212.1.144.147.in-addr.arpa.
•Reverse the order of the IP address
•Add "in-addr.arpa"
•For example, 147.144.1.212 becomes
•212.1.144.147.in-addr.arpa.
Reverse DNS Lookup
Forward Lookup for Google
Reverse Lookup for Google
•Flags specify:
–Query or Response
–Forward or Reverse
–Recursive or Iterative
–Query or Response
–Forward or Reverse
–Recursive or Iterative
Glue Records
•If the SOA for ccsf.edu is ns3.ccsf.edu
the system fails
–Q: Where is www.ccsf.edu?
–A: Ask ns3.ccsf.edu
–Q: Where is ns3.ccsf.edu?
–A: Ask ns3.ccsf.edu
•To prevent this, each domain has a glue
record in their top-level domain zone
specifying the IP address of the SOA
•If the SOA for ccsf.edu is ns3.ccsf.edu
the system fails
–Q: Where is www.ccsf.edu?
–A: Ask ns3.ccsf.edu
–Q: Where is ns3.ccsf.edu?
–A: Ask ns3.ccsf.edu
•To prevent this, each domain has a glue
record in their top-level domain zone
specifying the IP address of the SOA
Viewing Glue Records with dig
1. Find a .edu root NS server
1. Find a .edu root NS server
2. dig NS domain @root
IPv4 Glue for Google
•1. NS servers for .com
•1. NS servers for .com
IPv4 Glue Records for Google
Bind Version Query
•From c. 2015
•From c. 2015
Bind Version Query 9-13-16
ISC.ORG (Authors of Bind)
Common Server Architectures
Small Company: Outsource DNS
Medium
Company
•Internal and
external DNS
servers
•Only public
servers like
www and mx
on external
DNS servers
Company
•Internal and
external DNS
servers
•Only public
servers like
www and mx
on external
DNS servers
Large Company
Hierarchical
Caching
Architecture
Caching
Architecture
Anycast
Categories
EducationDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 3,246
- Slides 46
- Favorites 2
- Age 3370 days
Related Slideshows
11
TLE-9-Prepare-Salad-and-Dressing.pptxkkk
MaAngelicaCanceran
34 views
12
LESSON 1 ABOUT MEDIA AND INFORMATION.pptx
JojitGueta
28 views
60
GRADE-8-AQUACULTURE-WEEKQ1.pdfdfawgwyrsewru
MaAngelicaCanceran
45 views
26
Feelings PP Game FOR CHILDREN IN ELEMENTARY SCHOOL.pptx
KaistaGlow
44 views
![Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx](https://slidepub.com/thumb/5828/284015828.jpg)
54
Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx
acecamero20
28 views
7
Jeopardy_Figures_of_Speech.pptxvdsvdsvsdvsd
acecamero20
29 views